npm-audit-pipeline is an npm library for use in your CI pipelines: it checks whether your packages have any known vulnerabilities and fails the pipeline if they do. It supports the package managers npm, yarn and pnpm.
$ npm i npm-audit-pipeline --save-dev
In its simplest form you can add it to the scripts section of package.json like so:
"scripts": {
"package-audit": "npm-audit"
}
Then you can run it as:
$ npm run package-audit
If required, you can also specify how many vulnerabilities are allowed at each severity level before the check fails. By default all levels are set to 0. For example:
$ npm-audit --low=4 --moderate=3 --high=2 --critical=1
This means the check passes if, when the packages are audited, there are no more than 4 low, 3 moderate, 2 high and 1 critical vulnerabilities. If there are 5 low vulnerabilities it will fail, because 5 is greater than the 4 specified in the arguments.
$ npm-audit --shouldWarn
The shouldWarn flag means the vulnerabilities are logged to stdout but the pipeline still passes.
$ npm-audit --retry=10
The retry flag sets the number of retry attempts made when fetching the npm audit data fails.
$ npm-audit --package-manager=yarn
The package-manager flag lets you specify a package manager other than npm, which is the default. The currently supported values are npm, yarn and pnpm.
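As an added example, not code from the npm-audit-pipeline project, the following JavaScript shows the pass/fail decision the flags above describe, run over a constructed npm audit --json metadata summary. The field names under metadata.vulnerabilities match real npm audit output; parseArgs, evaluateAudit and runCheck are names chosen for this illustration.

```javascript
// Added example (not npm-audit-pipeline's own code): the threshold check the
// README describes, applied to a constructed `npm audit --json` summary.
// Real `npm audit --json` output reports counts under
// metadata.vulnerabilities.{info,low,moderate,high,critical}; only the four
// levels the README's flags cover are compared here.
const LEVELS = ["low", "moderate", "high", "critical"];

// Parse CLI-style flags such as "--low=4 --shouldWarn" into thresholds and options.
function parseArgs(argv) {
  const thresholds = { low: 0, moderate: 0, high: 0, critical: 0 }; // README default: all 0
  const opts = { shouldWarn: false, retry: 0, packageManager: "npm" };
  for (const arg of argv) {
    const [key, value] = arg.replace(/^--/, "").split("=");
    if (LEVELS.includes(key)) thresholds[key] = Number(value);
    else if (key === "shouldWarn") opts.shouldWarn = true;
    else if (key === "retry") opts.retry = Number(value);
    else if (key === "package-manager") opts.packageManager = value;
  }
  return { thresholds, opts };
}

// A level fails when its count exceeds the allowance; --shouldWarn turns any
// failure into a warning so the pipeline still passes.
function evaluateAudit(counts, thresholds, opts) {
  const failures = LEVELS.filter((lvl) => (counts[lvl] || 0) > thresholds[lvl]);
  const pass = failures.length === 0 || opts.shouldWarn;
  return { pass, failures };
}

// Constructed sample of the metadata block from `npm audit --json`.
const SAMPLE_AUDIT = {
  metadata: { vulnerabilities: { info: 0, low: 5, moderate: 3, high: 2, critical: 1 } },
};

// Returns the exit code a CI job would see: 0 passes, 1 fails the pipeline.
function runCheck(argv, auditJson = SAMPLE_AUDIT) {
  const { thresholds, opts } = parseArgs(argv);
  const result = evaluateAudit(auditJson.metadata.vulnerabilities, thresholds, opts);
  if (result.failures.length) {
    console.warn(`over threshold: ${result.failures.join(", ")}`);
  }
  return result.pass ? 0 : 1;
}
```

With the sample counts, `--low=4` fails because 5 low vulnerabilities exceed the allowance, `--low=5` passes, and adding `--shouldWarn` passes while still logging the overage.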
npm-audit-pipeline is licensed under Apache 2.0.